ASA 5520 ASA-4-419002: Duplicate TCP SYN

Unanswered Question
Mar 14th, 2008


I have a problem: the connection between hosts on my network is not possible. I got this error.

%ASA-4-419002: Duplicate TCP SYN OUTSIDE: to INSIDE: with different initial sequence number.

The network behind the ASA's OUTSIDE interface is completely under my control, with the ASA being the only gateway, so I'm reasonably sure there's no source IP address spoofing going on.

What can I do to resolve this problem?



marie-pongou Wed, 03/19/2008 - 00:07


Is it possible to stop the spoofing feature on the ASA?



iprojetos Wed, 07/21/2010 - 11:28

I had exactly the same problem.

After hours of attempts, I solved the problem by adding an ACL on the outside interface.

Strangely enough, it worked for me.

Good luck

August Ritchie Wed, 07/21/2010 - 11:50

If what you say is true, that this connection is not possible, i.e. your topology should not allow for this, then you need to look into some sort of routing error. Perhaps you have a loop somewhere?

The ASA is just reacting to what traffic it is receiving, so it must have received this SYN on another interface and somehow the packet was also sent outside and received there as well.

The reason that denying with an access-list will work is that the packet will hit the access-list and drop before it can be checked to see if it is a duplicate SYN.
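To narrow down which hosts are involved before adding an ACL or chasing a routing loop, the 419002 messages can be tallied per flow. The script below is an added example, not part of the original thread; it assumes the message carries `interface:address/port` fields on both sides, and the sample log lines are constructed with documentation addresses.

```python
import re
from collections import Counter

# Constructed sample syslog lines (documentation addresses, not from the thread).
# The last line mirrors the address-less form quoted in the question.
SAMPLE_LOG = """\
Mar 14 2008 10:01:02 asa1 : %ASA-4-419002: Duplicate TCP SYN from OUTSIDE:192.0.2.10/40001 to INSIDE:198.51.100.5/80 with different initial sequence number
Mar 14 2008 10:01:03 asa1 : %ASA-4-419002: Duplicate TCP SYN from OUTSIDE:192.0.2.10/40002 to INSIDE:198.51.100.5/80 with different initial sequence number
Mar 14 2008 10:01:04 asa1 : %ASA-6-302013: Built inbound TCP connection 7 for OUTSIDE:192.0.2.77/5000 (192.0.2.77/5000) to INSIDE:198.51.100.5/80 (198.51.100.5/80)
Mar 14 2008 10:01:09 asa1 : %ASA-4-419002: Duplicate TCP SYN from OUTSIDE:192.0.2.44/51515 to INSIDE:198.51.100.9/443 with different initial sequence number
Mar 14 2008 10:01:10 asa1 : %ASA-4-419002: Duplicate TCP SYN OUTSIDE: to INSIDE: with different initial sequence number
"""

# Assumed field layout: [from] <if>:<ip>/<port> to <if>:<ip>/<port> (IPv4 only).
# Address and port are optional so that stripped lines are still counted.
PATTERN = re.compile(
    r"%ASA-4-419002: (?:Received )?[Dd]uplicate TCP SYN (?:from )?"
    r"(?P<sif>\S+?):(?P<sip>[\d.]*)(?:/(?P<sport>\d+))? to "
    r"(?P<dif>\S+?):(?P<dip>[\d.]*)(?:/(?P<dport>\d+))? with different"
)

def summarize(log_text):
    """Return (Counter keyed by flow, number of 419002 lines lacking addresses).

    The source port is left out of the key because every new connection
    attempt from the same client normally uses a different one.
    """
    flows, incomplete = Counter(), 0
    for line in log_text.splitlines():
        m = PATTERN.search(line)
        if not m:
            continue  # some other syslog message
        if not m["sip"] or not m["dip"]:
            incomplete += 1  # 419002 seen, but addresses are missing
            continue
        flows[(m["sif"], m["sip"], m["dif"], m["dip"], m["dport"])] += 1
    return flows, incomplete

if __name__ == "__main__":
    flows, incomplete = summarize(SAMPLE_LOG)
    for (sif, sip, dif, dip, dport), n in flows.most_common():
        print(f"{n:4d}  {sif}:{sip} -> {dif}:{dip}/{dport}")
    print(f"{incomplete} message(s) without address fields")
```

A flow that dominates the tally points at the host pair whose path to the ASA should be traced first.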

